We are testing our app in Docker and found that seccomp introduces significant overhead. When we run our app on Docker and compare with the tests executed on a bare-metal machine, we find a 20% performance degradation on Docker. If we disable seccomp for our tests, then performance is almost on par with the BM machine. For our tests, we are using the same BM machine for the Docker and BM runs.
We tried to upgrade libseccomp by following the thread seccomp/libseccomp#116 and built the libseccomp 2.5 RPM package. However, we cannot find an option in Docker to pass the following flag to use a binary tree for efficient searching, as per the following link:
https://github.com/seccomp/libseccomp/blob/master/tests/53-sim-binary_tree.c#L115
It seems we need to enable the following, but we are not sure how:
typically called ctx), they need to run this command:
rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
Additional information you deem important (e.g. issue happens only occasionally):
Output of docker version:
rpm -qa | grep docker
docker-cli-19.03.1.ol-1.0.0.el7.x86_64
docker-engine-19.03.1.ol-1.0.0.el7.x86_64
Output of docker info:
docker info
Client:
Debug Mode: false
Server:
Containers: 1
Running: 1
Paused: 0
Stopped: 0
Images: 22
Server Version: 19.03.1-ol
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: c4446665cb9c30056f4998ed953e6d4ff22c7c39
runc version: 4bb1fe4ace1a32d3676bb98f5d3b6a4e32bf6c58
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 4.14.35-1902.9.2.el7uek.x86_64
Operating System: Oracle Linux Server 7.7
OSType: linux
Architecture: x86_64
CPUs: 72
Total Memory: 376.4GiB
Name: scaoda7121.us.oracle.com
ID: GUBV:R7PV:P33U:OFBG:XRAL:ROPI:DLV3:BYYN:5VN7:M5RU:X3M7:5SFA
Docker Root Dir: /var/lib/docker
Debug Mode: false
HTTP Proxy:
HTTPS Proxy:
No Proxy:
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Additional environment details (AWS, VirtualBox, physical, etc.):
This machine is a bare-metal machine.